Re: Learning one's tools
Dave Beagle wrote:
> Code reviews are dumb and not needed by good programmers

Counterpoint: Code reviews are -most- essential when the authors are experts.

Why is that? Because experts are most able to churn out code that functions correctly for today’s requirements, but that some less-expert future maintainer will have a difficult time modifying to suit a new requirement without introducing a bug.

“Standards” may feel stifling and inefficient to someone who wants to output “working” code as quickly as possible, and especially one with a deep desire to display their cleverness. [Dear reader, does that sound like anyone you know?]

In general, code written for the set of list-relevant platforms should be reviewed with the expectation that it will be maintained for decades longer than the original author is employed, and eventually by a generalist with significantly less overall depth of compiler-specific or arcane platform knowledge.

It’s an extremely hard balance to strike, to be sure, but it’s never too early or too late to start trying.

Jared Hunter
Rocket Software

Rocket Software, Inc. and subsidiaries ¦ 77 Fourth Avenue, Waltham MA 02451 ¦ Main Office Toll Free Number: +1 855.577.4323
Contact Customer Support: https://my.rocketsoftware.com/RocketCommunity/RCEmailSupport
Unsubscribe from Marketing Messages/Manage Your Subscription Preferences - http://www.rocketsoftware.com/manage-your-email-preferences
Privacy Policy - http://www.rocketsoftware.com/company/legal/privacy-policy

This communication and any attachments may contain confidential information of Rocket Software, Inc. All unauthorized use, disclosure or distribution is prohibited. If you are not the intended recipient, please notify Rocket Software immediately and destroy all copies of this communication. Thank you.

--
For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
Re: RACF, external password management
Hi all,

I’m an architect/implementor on the IBM Z MFA team since the prehistory / notional phase of the product.

If folks would be interested in one or more “office hours” style Q+A sessions about the product and its (many, sometimes exotic) features, feel free to reach out to me at this address. No sales touch implied, just a question-driven tour of the tech and design philosophy.

-Jared

Jared Hunter
Strategic Architect, Security
Rocket Software, USA
E: jhun...@rocketsoftware.com

Date: Fri, 1 Mar 2024 06:24:45 +
From: Timothy Sipples <sipp...@sg.ibm.com>
Subject: Re: RACF, external password management

Linda Hagedorn wrote:
>This is very promising. Do you know where I can read more about ZMFA?

The documentation landing page is here:
https://www.ibm.com/docs/en/zma

>I'm interested in knowing how to configure the external source, and how
>the token is passed back to RACF, and how long the token lasts.
>For example, if systems programmers are working a problem, we
>wouldn't want the token to expire in 3 hrs.
>Or does the token last for the duration of the session?
>If tso/ispf times out (sysprog is doing research or answering
>mgmt questions), will they have to generate a new token?

If for example you’re configuring ZMFA to use a LDAP server as an “external” factor then this landing page has further details:
https://www.ibm.com/docs/en/zma/2.3.0?topic=customization-configuring-ldap

I put the word external in quotation marks because the LDAP server could be z/OS’s LDAP server or some other LDAP server running on the same IBM Z machine. And LDAP is just one example. Many “external” and external factors’ interfaces are supported.

You can configure ZMFA for “out-of-band” authentication so that users obtain what’s called a “cache token credential” (CTC) to log into RACF (via TSO/E for example). You can choose whether the CTC is reusable and how quickly it expires.
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-policy-token-timeout
https://www.ibm.com/docs/en/zma/2.3.0?topic=policies-setting-cache-token-credential-be-reusable

—
Timothy Sipples
Senior Architect
Digital Assets, Industry Solutions, and Cybersecurity
IBM Z/LinuxONE, Asia-Pacific
sipp...@sg.ibm.com
Re: Assembler analysis
Peter wrote:
> TANSTAFL -- There ain't no such thing as a free lunch. You have to put in the
> effort to understand the original code

This, but with a twist.

zArchitecture (s390 and s390x) are listed as supported by IDA Pro.
https://hex-rays.com/products/ida/processors/

Depending on how well-commented the original ASM is, the right application of disassembly to graphs, giant displays, and coffee* might get you to high-quality supportable HLL faster than inspecting/converting the original source.

-Jared

Jared Hunter
Director of Software Engineering, Z Security
Rocket Software
77 Fourth Avenue • Waltham, MA 02451 • USA
t: +1 781 684 2162 • m: +1 617 821 3745 • e: jhun...@rs.com • he / him / his
Re: IBM ZDNT Learner's Edition - beware
Practically speaking, I think the License text means you can Learn to Develop and Test so long as no one is paying you, and you have no present good-faith intent to sell anything you may Develop or Test in the environment.

Per Sebastian's comment about Open Source, I think the odds are very high that some code that began life inside a ZDnT system will make its way into COTS software. As someone partially responsible for running an extremely IP-clean shop, I'm a little concerned about that, and would personally love it if OSS developed in a ZDnT would clearly identify itself as such.

But as someone who understands that the future of the mainframe hinges on developing talent, and that scaled mainframe endpoints drive a lot of human value, my hope/expectation is that IBM has "priced in" that particular risk.

Overall, broader access to a licensed version of z/OS is a Good Thing™. Please don't abuse it.

-Jared

Jared Hunter
Director of Software Engineering, Z Security
Rocket Software
77 Fourth Avenue • Waltham, MA 02451 • USA
t: +1 781 684 2162 • m: +1 617 821 3745 • e: jhun...@rs.com • he / him / his
Re: Mainframe Multi factor authentication possibilities
Hi Jake,

Disclosure: I'm one of the architects of IBM MFA for z/OS.

The goal of multi-factor authentication is to strengthen the link between a human being and the actions taken by a logical account (because a logical account is what the SAF-implementing ESM is capable of authorizing and auditing). Sharing a single (or few) logical accounts across many human beings is an anti-pattern that is incompatible with that goal.

The only way to satisfy the criteria, as written, would be to depend on a layer entirely outside z/OS and the ESM to handle both a) authentication mechanics and b) authorization and auditing of all user actions. I personally would never recommend this approach, as it takes control away from the ESM and dramatically reduces the utility of its audit logs. But if your mainframe environment is very limited (only running 3270 and SSH, say) maybe that approach could be made to work / pass an audit.

I'm happy to take questions off-list.

-Jared

Jared Hunter
Senior Manager, Z Security
Rocket Software
77 Fourth Avenue • Waltham, MA 02451 • USA
t: +1 781 684 2162 • m: +1 617 821 3745 • e: jhun...@rs.com • he / him / his

Date: Tue, 25 Aug 2020 11:16:09 +0400
From: Jake Anderson
Subject: Mainframe Multi factor authentication possibilities

Hello,

Cross posted.

We are planning to implement 2FA for mainframe logons. Here we have a challenge where we use a common mainframe ID and would like to know if there is a way to enforce 2FA which can identify a person based on fingerprint or any other mechanism which can identify a person even if he uses common mainframe ID.

Could someone share your experience if you have a similar set up in your datacenter?

z/OS 2.2

Jake